Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #23

March 21, 2014

Cybersecurity is changing in the face of forces ranging from cloud and mobile to Snowden. An impressive group of CISOs are meeting in Boston at the end of April with John Pescatore and other experts to sort out key security trends. Probably the most useful executive-level cybersecurity meeting in the country. http://www.sans.org/info/154465

STORM CENTER TECH CORNER


TOP OF THE NEWS

Target May Face Federal Charges Over Breach (March 19, 2014)

Target has been communicating with the US Federal Trade Commission (FTC), but it is not yet known if the retailer will face federal charges related to a massive data breach that compromised payment card information of millions of customers late last year.
-http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver
[Editor's Note (Pescatore): I've been a big fan of FTC enforcement actions in the past that have happened *before* shoddy practices resulted in actual impact to consumers. I don't see much value in the FTC piling on here, but Target would be wise to commit to continuing voluntary third-party (beyond PCI) assessments for the next 10 years. (Murray): The American people expect, and media demands, that government provide blood sacrifice whenever something goes wrong. If government is unable to identify and punish the criminal, then it is well advised to further punish the victim. Regulatory agencies work better than law enforcement for this purpose; it is simply too difficult to prove "criminal" negligence. ]

Many Companies Still Not Disclosing Breaches or Sharing Attack Information (March 18, 2014)

According to a report from Arbor Networks and The Economist Intelligence Unit, many companies still do not publicly acknowledge data security breaches. While 77 percent of organizations responding to the survey said they had experienced a breach in the past year, 57 percent said they do not voluntarily disclose breaches that are not required to be disclosed by law. Just over one-third of respondents said they share breach information with others in their industry.
-http://www.darkreading.com/attacks-breaches/many-organizations-dont-go-public-with-d/240166693
[Editor's Note (Pescatore): The 43% that *are* making non-required disclosures need to explain to their shareholders why they are doing so. There are many, many things that go wrong at every business every day that are not required to be disclosed publicly and therefore are not. Imagine if every retail company disclosed every shoplifting or employee theft event! (Assante): There are no surprises here as companies are struggling with the benefits of sharing attack information past trusted circles. The lack of discussion and facts related to both attacker moves and actions and target weaknesses/struggles/breakthroughs hurts our collective understanding and advancement of practices. While at NERC, I was hopeful and had a vision that we could do as good a job of detailing cyber incidents as we did analyzing bulk power system outages and events. NERC has accomplished transparency on how regulated entities are struggling with compliance, but there are few organizations or regulatory programs that provide timely and 'responsible' transparency around reported cyber incidents. (Paller): The key to breaking through on sharing is the British Information Exchange model - trusted groups of companies in tightly controlled disclosure groups. In the US, federal involvement in these has been counterproductive because they were mostly trying to force or coerce disclosure. However, data is emerging that DHS's NCCIC has developed a new model, closer to the British model, that seems to be gaining corporate participation. PS: The key to the British model is that the government gives useful (often sensitive/classified) data for a long time (generally 12 months) before the companies feel enough confidence to start sharing back. (Honan): Another worrying finding from this report is that 1 in 3 businesses have no incident response plan. ]

Univ. of Maryland Discloses Another Data Breach (March 20, 2014)

The University of Maryland College Park (UMCP) has disclosed another security breach, the second in as many months. UMCP cybersecurity task force chair Ann G. Wylie said that in the latest breach, the personal information of "one senior university official" was compromised. The earlier breach affected hundreds of thousands of current and former students, faculty, and staff.
-http://www.baltimoresun.com/news/maryland/education/blog/bs-md-umd-another-cyberattack-20140320,0,798878.story
[Editor's Note (Paller): This story illuminates a key opportunity to improve cybersecurity around the world. Colleges need to teach hands-on cybersecurity as part of their core programming classes, not as electives. The web sites (which UMCP officers now say are being reviewed) were developed by people who rarely learned secure coding or about vulnerabilities in web application development systems like ColdFusion, which are today the most commonly exploited access method for malicious actors attacking state and local governments and universities. Stopping errors from getting into the applications in the first place is the most promising proactive cyber defense action, but unless UMCP President Mote and his counterparts at other schools force their faculty to first learn and then teach secure, defensive programming as part of the core curriculum, they will continue to be a major part of the cybersecurity problem. ]


THE REST OF THE WEEK'S NEWS

A recent uptick in Network Time Protocol (NTP) reflection attacks has prompted the patching of vulnerable devices. Approximately 93 percent of the 1.6 million vulnerable NTP servers have now been patched.
-http://www.bbc.com/news/technology-26662051

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/